Firefox Now Supports HttpOnly Cookies
You may be surprised to learn that Microsoft Internet Explorer has supported a a security feature called HttpOnly cookies since IE 6 SP1. Firefox 188.8.131.52, which was released just the other day, now supports it.
When a cookie is
To set a
HttpOnly cookie with ColdFusion you need to use
cfcookie doesn't yet support
<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">
It would be nice if the
cfcookie tag simply had an attribute HttpOnly=true/false. Go make a wish. While you are at it it would also be nice to have a setting to make the
jsessionid cookies httpOnly, or secure cookies.
Update: CF9 added a httponly setting to the CFCookie tag. And CF 9.0.1 adds HttpOnly to CFID and CFTOKEN cookies automatically.
Here's a MSDN doc with some additional info about
Firefox's implementation of
HttpOnly however still leaves open a big hole, as RSnake points out, you can do an
XMLHttpRequest to get the cookie values from the HTTP response headers. When I test in IE 6 (RSnake's example doesn't work in IE), I don't have access to the
Set-Cookie from the AJAX HTTP response header. +1 for MSIE.
- Client Variable Cookie CFGLOBALS Includes Session Ids - July 14, 2011
- Setting up HTTPOnly Session Cookies for ColdFusion - September 13, 2010
- Firefox 3.5 Introduces Origin Header, Security Features - June 30, 2009
- AJAX on IE - back to the IFRAME - August 17, 2005
- Firefox Aurora now Supports Content Security Policy 1.0 - May 31, 2013
- Using Mozilla's Certificate Authority List for Java SSL
- SessionRotate solution for JEE Sessions
- False TemplateNotFoundException ColdFusion 9
- ColdFusion defaults avoid flawed Random Number Generator
- Apache Security Patches on CentOS / RHEL
- FuseGuard 2.4 Released
- New HackMyCF Features
- Blocking .svn and .git Directories on Apache or IIS